author | Matthew Thode <prometheanfire@gentoo.org> | 2013-03-14 21:07:12 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2013-03-14 21:07:12 +0000 |
commit | 93d0a3eb6245a046318e32a1faba96f261df1c99 (patch) | |
tree | 0aa8bab544b02cb2cdcc8bfe5a009ce12ae0cd6d /app-admin | |
parent | revbump to nova-2012.2.3-r2 for bug 461750 CVE-2013-1838 (diff) | |
revbump to glance-2012.2.3-r1 for bug 461750 CVE-2013-1840
(Portage version: 2.1.11.52/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'app-admin')
-rw-r--r-- | app-admin/glance/ChangeLog | 9 | ||||
-rw-r--r-- | app-admin/glance/files/glance-folsom-3-CVE-2013-1840.patch | 32 | ||||
-rw-r--r-- | app-admin/glance/glance-2012.2.3-r1.ebuild (renamed from app-admin/glance/glance-2012.2.3.ebuild) | 6 |
3 files changed, 45 insertions, 2 deletions
diff --git a/app-admin/glance/ChangeLog b/app-admin/glance/ChangeLog
index d55f56f8c886..a27ebddc2096 100644
--- a/app-admin/glance/ChangeLog
+++ b/app-admin/glance/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for app-admin/glance
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/ChangeLog,v 1.2 2013/02/07 18:02:58 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/ChangeLog,v 1.3 2013/03/14 21:07:12 prometheanfire Exp $
+
+*glance-2012.2.3-r1 (14 Mar 2013)
+
+ 14 Mar 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/glance-folsom-3-CVE-2013-1840.patch, -glance-2012.2.3.ebuild,
+ +glance-2012.2.3-r1.ebuild:
+ revbump to glance-2012.2.3-r1 for bug 461750 CVE-2013-1840
 
 *glance-2012.2.3 (07 Feb 2013)
 
diff --git a/app-admin/glance/files/glance-folsom-3-CVE-2013-1840.patch b/app-admin/glance/files/glance-folsom-3-CVE-2013-1840.patch
new file mode 100644
index 000000000000..3299442cb0de
--- /dev/null
+++ b/app-admin/glance/files/glance-folsom-3-CVE-2013-1840.patch
@@ -0,0 +1,32 @@
+From dd849a9be540bedd4fd904cc0b86ccd9c3e34af2 Mon Sep 17 00:00:00 2001
+From: Stuart McLaren <stuart.mclaren@hp.com>
+Date: Thu, 14 Mar 2013 13:43:36 +0000
+Subject: [PATCH] Do not return location in headers
+
+In some cases credentials were being leaked when downloading a cached
+v1 image.
+
+Fixes bug 1135541, CVE-2013-1840
+
+Change-Id: I3ec0a8f484fe1bdc32c3c56fce810fcef347a7f6
+---
+ glance/api/middleware/cache.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/glance/api/middleware/cache.py b/glance/api/middleware/cache.py
+index 8e24ef0..dcd59b6 100644
+--- a/glance/api/middleware/cache.py
++++ b/glance/api/middleware/cache.py
+@@ -111,6 +111,9 @@ class CacheFilter(wsgi.Middleware):
+
+ def _process_v1_request(self, request, image_id, image_iterator):
+ image_meta = registry.get_image_metadata(request.context, image_id)
++ # Don't display location
++ if 'location' in image_meta:
++ del image_meta['location']
+
+ if not image_meta['size']:
+ # override image size metadata with the actual cached
+--
+1.8.1.5
+
diff --git a/app-admin/glance/glance-2012.2.3.ebuild b/app-admin/glance/glance-2012.2.3-r1.ebuild
index 7a35f339312e..657b52e4dba2 100644
--- a/app-admin/glance/glance-2012.2.3.ebuild
+++ b/app-admin/glance/glance-2012.2.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/glance-2012.2.3.ebuild,v 1.1 2013/02/07 18:02:58 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/glance-2012.2.3-r1.ebuild,v 1.1 2013/03/14 21:07:12 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -47,6 +47,10 @@ RDEPEND="${DEPEND}
 postgres? ( dev-python/sqlalchemy[postgres] )
 ldap? ( dev-python/python-ldap )"
 
+PATCHES=(
+ "${FILESDIR}/glance-folsom-3-CVE-2013-1840.patch"
+)
+
 python_install() {
 distutils-r1_python_install
 newconfd "${FILESDIR}/glance.confd" glance |
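Review bot: The three lines added to `_process_v1_request` in the embedded patch come with no regression test and a comment that does not say why the key is removed, so a later refactor could reintroduce the leak unnoticed; the patch's own diffstat shows one file and three insertions. I would word the comment as `# Drop 'location': the store URI can carry backend credentials (CVE-2013-1840) and must not reach the response headers`, and, if `image_meta` is a plain dict, `image_meta.pop('location', None)` does the same in one line. A test asserting that a cached v1 download response carries no location value would pin the behaviour. The function body continues past the hunk, so whether other paths in this middleware build headers from unfiltered metadata cannot be judged from here. Because the commit message says credentials were leaked to clients, deployments that ran the unpatched cache middleware should presumably rotate the affected store credentials after upgrading.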